The invention concerns generally the field of transmitting data in the form of packets between computers in a network. Especially the invention concerns the secure transmission of data packets in a network comprising so-called virtual routers.
A network is an arbitrary aggregate of computer devices linked together through wire, cable, fibre and/or wireless connections for transmitting data in the form of packets. The computer devices in a network may be classified to hosts and routers. A host is a computer device in a network arranged to process packets destined to itself, whereas a router is arranged to process packets both to itself and packets destined to other computer devices of the network. Routers may further be sub-classified; some sub-classes are for example IP routers (Internet Protocol) and access routers. The present invention concerns generally the operation of routers, but it has implications also to the operation of other computer devices in a network.
A simple router 100, illustrated in FIG. 1a, has a number of input lines 101, a number of output lines 102 (which may physically be the same as the input lines) and a routing processor 103 capable of taking the packets coming on the input lines and forwarding them to the correct output lines in accordance with some explicit or implicit information about the destination of the packets. In the usual case the router has previously stored routing tables that dictate the correct handling of packets. Explicit information above means that each packet contains information about how it should be processed, and implicit information means that from a certain context the router knows how to handle the packet. The router may have obtained the necessary implicit knowledge from some previous packets, or each packet may have a context identifier revealing the correct context.
Recently, the concept of virtual routers has been introduced, as in FIG. 1b. A virtual router 110, 111 or 112 is a logical concept instead of a physical one. A single physical computing device 113 in a network may house a number of virtual routers that use the same hardware, i.e. the same physical input lines 114 and output lines 115 (which may again physically be the same as the input lines) and the same processor 116. Conceptually the virtual routers are separate entities, and a suitable multiple access scheme is applied to share the common physical resources between them. It is even possible to construct a virtual network where the connections between hosts go through virtual routers. Multiple virtual networks may rely on the same cabling and the same physical routers without having any knowledge of each other. This is a popular way of implementing virtual private networks or VPNs, each of which can serve for example as the backbone network connecting the branch offices of a large company together.
Instead of a simple cable, two mutually communicating physical routers supporting virtual routers may also be connected by an arbitrarily complex network capable of transmitting data between its nodes. Such a network may contain intermediate routers that may or may not be aware of the multiple virtual networks going through them. There may be numerous physical (possibly routed) paths between any two nodes in the network. The paths may include wireline, cable, fibre and/or wireless segments.
Virtual networks raise a problem in packet labeling, because in the known labeling schemes it is difficult to identify the virtual network to which the packet belongs. In FIG. 2a, a typical data packet 200 comprises a header 201, a payload or data portion 202 and possibly a checksum 203 (CRC; Cyclic Redundancy Check). The header 201 is arranged into fields that contain, among other information, a source address (not separately shown) identifying the sender of the packet and a destination address (not separately shown) identifying the intended recipient of the packet. As such, the packet can only traverse the logical network in which the addresses are valid, i.e. where the network addressing scheme enables the correct recognition of the sender and the intended recipient. It is possible to temporarily transmit the packet over a different logical network, but the packet must be suitably encapsulated and relabeled.
The process of encapsulating data packets for transmission over a different logical network is called tunneling. Typically, in the case of the IP protocol, tunneling involves adding a new IP header in front of the original packet, setting the protocol field in the new header appropriately, and sending the packet to the desired destination (endpoint of the tunnel). Tunneling may also be implemented by modifying the original packet header fields or replacing them with a different header, as long as a sufficient amount of information about the original packet is saved in the process so that it will be possible to reconstruct the packet at the end of the tunnel into a form sufficiently similar to the original packet entering the tunnel. The exact amount of information that needs to be passed with the packet depends on the network protocols, and information may be passed either explicitly (as part of the tunnelled packet) or implicitly (by the context, as determined e.g. by previously transmitted packets or a context identifier in the tunneled packet).
In the case of tunneling IP traffic between routers over a single network cable or an arbitrarily complex network, a packet is typically wrapped in an outer IP header. The outer source IP address is set to the IP address of the sending node, the outer destination IP address is set to the IP address of the endpoint of the tunnel, and the outer protocol identifier is set to identify the tunneling method. However, if the next router is a virtual router, this simple scheme is not necessarily applicable, because virtual routers typically do not have an IP address of their own. It is not practical to assign a separate IP address to each virtual router, because the number of virtual routers is expected to become very large (there may be hundreds of virtual routers in a single physical computing device) and the number of available IP addresses is limited. Extending the available IP address space by making the IP addresses longer is also not reasonable because it would require a protocol update in millions of computing stations around the world.
Multi-protocol label switching MPLS (as discussed in the Internet Engineering Task Force IETF working groups) can be used to carry labels that identify the virtual network that the packets belong to. Alternatively, the L2TP protocol (also discussed in IETF working groups) can be used to tunnel PPP (point-to-point protocol) streams over networks, and can also be used to carry labeling information.
Problems with virtual routers arise also in the context of security mechanisms introduced to enhance the security of data traffic in public networks. The IETF (Internet Engineering Task Force) has defined a set of rules for adding security to the IP protocol and collected them under the designation IPSEC or IP security protocol. IPSEC provides cryptographic authentication and confidentiality of traffic between two communicating network nodes. It can be used in both end-to-end mode, directly between the communicating nodes or hosts, or in tunnel mode between firewalls or routers. Asymmetric connections, where one end is a host and the other end is a firewall or router are also possible. The most important RFC standards published by the IETF and relating to IPSEC are RFC-1825 xe2x80x9cSecurity Architecture for the Internet Protocolxe2x80x9d, RFC-1826 xe2x80x9cIP Authentication Headerxe2x80x9d and RFC-1827 IP Encapsulating Security Payload (ESP)xe2x80x9d, all by R. Atkinson, NRL, August 1995, all of which are hereby incorporated by reference. RFC stands for Request For Comments, which is an IETF form of standards and recommendations. A complete overview of IPSEC is available to the public at the time of filing of, this patent application at the internet address www.tcm.hut.fi/Tutkimus/IPSEC/ipsec.html.
IPSEC performs authentication and encryption on packet level by generating a new IP header, adding an Authentication Header (AH) or Encapsulating Security Payload (ESP) header in front of the packet. The original packet is cryptographically authenticated and optionally encrypted. The method used to authenticate and possibly encrypt a packet is identified by a security parameter index (SPI) value stored in the AH and ESP headers. The SPI is a 32-bit integer. Its value is usually pseudo-random, but negotiated and known to the two endpoints of the tunnel. The AH header is illustrated in FIG. 2b, where the column numbers correspond to bits. The fields of the known AH header are as follows: Next Header 211, Length 212, Reserved 213, Security Parameter Index 214 and Authentication Data 215. The length of the last field 215 is a variable number of 32-bit words.
The Encapsulating Security Payload (ESP) may appear anywhere in an IP packet after the IP header and before the final transport-layer protocol. ESP consists of an unencrypted header followed by encrypted data. The encrypted data includes both the protected ESP header fields and the protected user data, which is either an entire IP datagram or an upper-layer protocol frame (e.g., TCP or UDP). A high-level diagram of an exemplary secure IP datagram is illustrated in FIG. 2c, where the fields are IP Header 221, optional other IP headers 222, ESP header 223 and encrypted data 224. FIG. 2c also illustrates the two parts of the ESP header, which are the 32-bit Security Association Identifier (SPI) 223a and the Opaque Transform Data field 223b, whose length is variable. No virtual router identifier is carried as part of the IPSEC protocol.
It is an object of the present invention to present a method and an arrangement for enabling the identification of virtual networks and/or virtual routers in the course of tunneling data packets through a network. It is a further object of the invention that it is applicable in the course of secure tunneling of data between virtual routers irrespective of the actual method of implementing the packet authentication and/or encryption.
The objects of the invention are achieved by connecting a destination virtual router identity to the security association governing the handling of packets, so that a separate security association is used to send packets to each virtual router at the physical computing device identified by a certain network address.
It is characteristic to the method according to the invention that it comprises the steps of
a) establishing a security association for the secure transmission of data packets between the transmitting computer device and the receiving computer device,
b) identifying the transmitting virtual router and the receiving virtual router within said security association,
c) in the transmitting computer device, using the identification of the transmitting virtual router within the security association in the selection of the security association for processing a data packet coming from the transmitting virtual router,
d) in the receiving computer device, selecting the security association for processing a data packet coming from the transmitting computer device on the basis of values contained within the data packet, and
e) in the receiving computer device, directing the data packet processed within the security association to the receiving virtual router on the basis of the identification of the receiving virtual router within the security association.
The invention also applies to a method for transmitting data packets in a transmitting computer device, as well as to a method for receiving data packets in a receiving computer device. The transmitting method comprises the characteristic features a), b) and c) given above, and the receiving method comprises the characteristic features a), b), d) and e) given above.
Additionally the invention applies to a networked computer device for securely processing transmittable data packets. As features characteristic to the invention it comprises
a number of virtual routers,
means for establishing a security association for the secure transmission of data packets between the computer device and some other networked computer device,
means for identifying a certain virtual router to be used in association with an established security association, and
means for associating a piece of information identifying said certain virtual router with said established security association.
The invention relies on the concept of security association, which is a reserved term in the context of one specific protocol, but which can easily be generalised to cover all arrangements having similar features regardless of the actual protocol that is used. The specific protocol referred to above is the IKE or Internet Key Exchange protocol, which was previously known as the ISAKMP/Oakley, where the acronym ISAKMP comes from Internet Security Association Key Management Protocol. It defines a method for authenticating the communicating parties to each other, deriving a shared secret known only to the communicating parties, negotiating authentication and encryption methods to be used for the communication, and agreeing on a security parameter index (SPI) value and a set of selectors to be used for the communication. The IKE protocol will be published in the form of an RFC standard, but at the filing date of the present patent application it is already available to the public at the internet address ftp://ftp.nordu.net/internet-drafts/draft-ietf-ipsec-isakmp-oakley 08.txt which is hereby incorporated by reference.
According to the IKE protocol, the result of a negotiation between the communicating parties is one or more security associations or SAs. A security association specifies a set of selectors that indicate which packets the SA should be applied to, the type of the transformation applied to protect the packets (e.g. AH or ESP), the SPI, the encryption and/or authentication methods to apply, and the tunneling method and tunnel destination. The invention adds at least one new selector to a security association: the virtual network identifier. In some embodiments of the invention there are at least two new selectors to be added to the security association: the source virtual router identifier and the destination virtual router identifier. Additional selectors may be added according to need. The added selector(s) may be represented explicitly (e.g. as integers identifying the virtual network) or implicitly (e.g. by the queues and memory addresses in which the packet is stored and the routing tables by which it is processed). Advantageously the added selector(s) do(es) not form part of the actual data packet, but represent(s) information associated with the packet within a computing system.
The novel features which are considered as characteristic of the invention are set forth in particular in the appended Claims. The invention itself, however, both as to its construction and its method of operation, together with additional objects and advantages thereof, will be best understood from the following description of specific embodiments when read in connection with the accompanying drawings.